
Summary
This rule detects when blob versioning is disabled on an Azure storage account, which removes a protection against accidental deletion or modification of data. Disabling blob versioning may indicate either preparation for data destruction or a misconfiguration, and in both cases it substantially increases the risk of unintentional data loss. Organizations using Azure should keep blob versioning enabled to safeguard against potential data breaches and to stay compliant with data retention policies. The monitoring setup queries Azure Monitor Activity logs to track changes in storage account settings and examines the context of each operation based on the IP addresses involved. The rule also maps to the MITRE ATT&CK framework, specifically addressing indicators of data destruction attacks, and provides guidance for responding to potential threats.
Categories
- Cloud
- Azure
- Infrastructure
Data Sources
- Cloud Storage
- Application Log
- Logon Session
ATT&CK Techniques
- T1485
Created: 2026-01-14